Just pulled the latest code from github and re-tested. Confirmed that it’s broken. Steps to reproduce:
1. Create a new user, this user should not be a moderator or an admin.
2. Create a new group with the following settings: Allow users to leave the group freely=True, Allow users to send membership requests to group owners=True, Who can see this group?=Everyone, Who can see this group's members?=Everyone, Who can @mention this group?=Only moderators and admins, Who can message this group?=Only moderators and admins.
3. Set the user to be the owner of the group.
4. While signed in as the group owner, try to add a different user to the group.
Or even just adding a more specific error to this.
E.g. instead of raising the InvalidAccess error with the (en) message: You are not permitted to view the requested resource.
Create an InsufficientTrustLevel error (perhaps as a subclass of InvalidAccess) with a (en) message: You do not have the required trust level to view the requested resource. At least then admins can know it’s a TL issue and not a bug.
Some notes on where this stuff is defined in the codebase
I may be wrong, but I think this situation has arisen as part of the work we’re doing on improving the invite system. We are normalizing invites so they all use the same invitation system, and separating out the functions dealing with existing users. Most recently, we changed it so we notify existing users about topics now via the share button in the topic menu, separately from inviting new users to join the site and contribute to the topic.
We’ll want to do the same for groups - it’s already on our list to work on this, but now I guess it’s become more urgent if it means it’s not possible to add anyone to a group if you don’t have sufficient TL to invite new users to the site.
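The suggestion made earlier in the thread (a more specific error that subclasses InvalidAccess), sketched in Ruby as an added example that is not code from the thread or from the Discourse code base. The `Demo` module, its classes, the `MIN_INVITE_TRUST_LEVEL` threshold and the sample users are hypothetical; the check models the coupling described in the thread, where adding a group member depends on the trust level needed to invite.

```ruby
# Hypothetical stand-ins for illustration; not Discourse's real classes.
module Demo
  class InvalidAccess < StandardError
    def status; 403; end
    def message_key; "invalid_access"; end
  end

  # Subclass, so every existing `rescue InvalidAccess` still catches it.
  class InsufficientTrustLevel < InvalidAccess
    attr_reader :required, :actual

    def initialize(required:, actual:)
      @required = required
      @actual = actual
      super("trust level #{actual} is below required #{required}")
    end

    def message_key; "insufficient_trust_level"; end
  end

  MESSAGES = {
    "invalid_access" => "You are not permitted to view the requested resource.",
    "insufficient_trust_level" =>
      "You do not have the required trust level to view the requested resource."
  }.freeze

  User = Struct.new(:name, :trust_level, keyword_init: true)
  Group = Struct.new(:name, :owners, keyword_init: true)
  MIN_INVITE_TRUST_LEVEL = 2 # constructed value

  def self.ensure_can_add_member!(actor, group)
    raise InvalidAccess unless group.owners.include?(actor.name)
    return true if actor.trust_level >= MIN_INVITE_TRUST_LEVEL
    raise InsufficientTrustLevel.new(required: MIN_INVITE_TRUST_LEVEL,
                                     actual: actor.trust_level)
  end

  # One handler for both errors: same 403 status, different message.
  def self.handle(actor, group)
    ensure_can_add_member!(actor, group)
    { status: 200, body: "ok" }
  rescue InvalidAccess => e
    { status: e.status, body: MESSAGES.fetch(e.message_key) }
  end
end
```

Both failures keep the same 403 status, so callers that only look at the status code see no change; only the message tells an admin which check failed.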